Eckhart's video demonstration reveals the logging output of an HTC Android device, which clearly shows that Carrier IQ's software is called when most buttons are pressed, when an SMS is received, and when a website is visited. Importantly, he demonstrates that visiting a supposedly encrypted SSL-secured site still delivers the URI to the Carrier IQ agent. The information is handed to Carrier IQ's agent on the phone before the actual request is made, as a keylogger would do.

So far, AT&T, Sprint, T-Mobile, HTC, and Samsung have confirmed that their phones include the tracking software; it appears to be disabled on the iPhone, and RIM has denied that the Carrier IQ software is on the BlackBerry. Nonetheless, it seems clear that a whole bunch of smartphone users have been carrying around a device that has been watching their every mobile move -- including their location. Armed with this information, it's trivial to know where any given person carrying that phone is at any given time, who they're calling, what they're texting, and so on and so forth. Essentially, it's not just a keylogger -- it's a lifelogger.

Ostensibly, the Carrier IQ software enables carriers to gather data about the performance of their network, which could be considered a useful and pertinent tool. However, collecting data on the user's every move -- including unencrypted URI strings used on SSL sites -- goes way too far. But heck, Carrier IQ even boasts about that on its site:

"IQ Insight Experience Manager uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network. ... Identify exactly how your customers interact with services and which ones they use. See which content they consume, even offline."